<meta charset="utf-8">
(#) Application uses non-cryptographically secure pseudorandom number generators

!!! WARNING: Application uses non-cryptographically secure pseudorandom number generators
   This is a warning.

Id
:   `WeakPrng`
Summary
:   Application uses non-cryptographically secure pseudorandom number generators
Severity
:   Warning
Category
:   Security
Platform
:   Any
Vendor
:   Google - Android 3P Vulnerability Research
Contact
:   https://github.com/google/android-security-lints
Feedback
:   https://github.com/google/android-security-lints/issues
Min
:   Lint 4.1
Compiled
:   Lint 8.0 and 8.1
Artifact
:   [com.android.security.lint:lint](com_android_security_lint_lint.md.html)
Since
:   1.0.1
Affects
:   Kotlin and Java files
Editing
:   This check runs on the fly in the IDE editor
See
:   https://goo.gle/WeakPrng
Implementation
:   [Source Code](https://github.com/google/android-security-lints/tree/main/checks/src/main/java/com/example/lint/checks/WeakPrngDetector.kt)
Tests
:   [Source Code](https://github.com/google/android-security-lints/tree/main/checks/src/test/java/com/example/lint/checks/WeakPrngDetectorTest.kt)
Copyright Year
:   2023

If a non-cryptographically secure pseudorandom number generator (PRNG)
is used in a security context like authentication, an attacker may be
able to guess the randomly-generated numbers and gain access to
privileged data or functionality.

!!! Tip
   This lint check has an associated quickfix available in the IDE.

(##) Example

Here is an example of lint warnings produced by this check:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~text
src/fake/pkg/TestWeakPrngDetector.java:7:Warning: Math.random relies on
a weak PRNG, use java.util.Random for non-security contexts and
java.security.SecureRandom for security / authentication purposes
[WeakPrng]
    int random = Math.random() * 100;
                 -------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is the source file referenced above:

`src/fake/pkg/TestWeakPrngDetector.java`:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~java linenumbers
package fake.pkg;

import java.lang.Math;

public class TestWeakPrngDetector {
    private void foo() {
        int random = Math.random() * 100;
    }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can also visit the
[source code](https://github.com/google/android-security-lints/tree/main/checks/src/test/java/com/example/lint/checks/WeakPrngDetectorTest.kt)
for the unit tests for this check to see additional scenarios.

The above example was automatically extracted from the first unit test
found for this lint check, `WeakPrngDetector.testWhenMathRandomUsed_showsWarningAndQuickFix`.
To report a problem with this extracted sample, visit
https://github.com/google/android-security-lints/issues.

(##) Including

!!!
   This is not a built-in check. To include it, add the below dependency
   to your project. This lint check is included in the lint documentation,
   but the Android team may or may not agree with its recommendations.

```
// build.gradle.kts
lintChecks("com.android.security.lint:lint:1.0.3")

// build.gradle
lintChecks 'com.android.security.lint:lint:1.0.3'

// build.gradle.kts with version catalogs:
lintChecks(libs.com.android.security.lint.lint)

# libs.versions.toml
[versions]
com-android-security-lint-lint = "1.0.3"
[libraries]
# For clarity and text wrapping purposes the following declaration is
# shown split up across lines, but in TOML it needs to be on a single
# line (see https://github.com/toml-lang/toml/issues/516) so adjust
# when pasting into libs.versions.toml:
com-android-security-lint-lint = {
    module = "com.android.security.lint:lint",
    version.ref = "com-android-security-lint-lint"
}
```

1.0.3 is the version this documentation was generated from;
there may be newer versions available.

[Additional details about com.android.security.lint:lint](com_android_security_lint_lint.md.html).
(##) Suppressing

You can suppress false positives using one of the following mechanisms:

* Using a suppression annotation like this on the enclosing
  element:

  ```kt
  // Kotlin
  @Suppress("WeakPrng")
  fun method() {
     random(...)
  }
  ```

  or

  ```java
  // Java
  @SuppressWarnings("WeakPrng")
  void method() {
     random(...);
  }
  ```

* Using a suppression comment like this on the line above:

  ```kt
  //noinspection WeakPrng
  problematicStatement()
  ```

* Using a special `lint.xml` file in the source tree which turns off
  the check in that folder and any sub folder. A simple file might look
  like this:
  ```xml
  &lt;?xml version="1.0" encoding="UTF-8"?&gt;
  &lt;lint&gt;
      &lt;issue id="WeakPrng" severity="ignore" /&gt;
  &lt;/lint&gt;
  ```
  Instead of `ignore` you can also change the severity here, for
  example from `error` to `warning`. You can find additional
  documentation on how to filter issues by path, regular expression and
  so on
  [here](https://googlesamples.github.io/android-custom-lint-rules/usage/lintxml.md.html).

* In Gradle projects, using the DSL syntax to configure lint. For
  example, you can use something like
  ```gradle
  lintOptions {
      disable 'WeakPrng'
  }
  ```
  In Android projects this should be nested inside an `android { }`
  block.

* For manual invocations of `lint`, using the `--ignore` flag:
  ```
  $ lint --ignore WeakPrng ...`
  ```

* Last, but not least, using baselines, as discussed
  [here](https://googlesamples.github.io/android-custom-lint-rules/usage/baselines.md.html).

<!-- Markdeep: --><style class="fallback">body{visibility:hidden;white-space:pre;font-family:monospace}</style><script src="markdeep.min.js" charset="utf-8"></script><script src="https://morgan3d.github.io/markdeep/latest/markdeep.min.js" charset="utf-8"></script><script>window.alreadyProcessedMarkdeep||(document.body.style.visibility="visible")</script>